Cracks in the Cloud: The Next Frontier for Cybercrime

The advantages of cloud computing—scalability, speed to market, lower costs and higher productivity—are well known throughout most industries. But for cyber criminals, this new, borderless infrastructure is a potential goldmine.

According to a new Symantec survey on the state of enterprise data security, cloud security is a top concern for Indian chief information security officers (CISOs). Covering 1,100 CISOs across 11 global markets, the report reveals that CISOs in India are particularly concerned about their ability to respond quickly to attacks.

A widening scope for cloud-based attacks

The survey shows the extent to which cloud security is keeping Indian CISOs awake at night. Tellingly, almost all (91%) believe that ensuring cloud applications meet compliance regulations is one of the most stressful aspects of their job.

The industry compliance issues that they find most worrying include tracking broad sharing of compliance-controlled data in cloud applications (23%) and governance of corporate-owned mobile devices (21%).

Other concerns include tracking of activities in sanctioned cloud applications (19%), country and region-specific data residency and control regulations (19%) and employee use of unsanctioned cloud applications (18%).

The widespread adoption of cloud applications, coupled with risky user behaviour that corporations may not even be aware of, is further widening the scope for cloud-based attacks. Indian CISOs estimate that, on average, 34% of cloud-based applications used at their company are unsanctioned, or ‘shadow apps’. The vast majority (87%) also believe that their Chief Executive Officer has probably broken internal security protocols at some point – either intentionally or unintentionally.

A need for end-to-end solutions

As enterprises become more reliant on the cloud to improve collaboration and flexibility, it’s becoming increasingly difficult for CISOs to keep track of and secure sensitive company data, let alone maintain compliance with regulatory requirements. To bolster information security as their organisation’s data flows between on-premises systems, mobile applications and cloud services, 93% of Indian CISOs plan to increase spending on IT staff security training this year. On average, new IT employees will undergo 20 hours of security training during their onboarding process.

The need for data security, compliance, and residency is also driving Indian CISOs to look for encryption and/or tokenization solutions to support their Software as a Service (SaaS) initiatives. Symantec’s survey reveals that while 98% of Indian CISOs believe tokenization of cloud data is the best way to meet data residency and control regulations, only 77% use tokenization methods. And while 98% use encryption to secure their cloud data, 74% use both encryption and tokenization.

Despite such measures, security challenges remain. Cybercriminal groups are opportunistic in the way they operate, using flaws in legitimate operating systems, tools, and cloud services to compromise networks. To effectively counter such behaviours, CISOs require unparalleled visibility and control over sensitive content that users upload, store and share via the cloud. Rather than relying on one-off fixes and reactive patches to protect confidential information, successful CISOs are eradicating exploitable vulnerabilities by deploying proactive, end-to-end solutions.

Addressing cloud security through a holistic approach

Failure to ensure appropriate security protection when using cloud services could ultimately result in higher costs and potential loss of business, thus eliminating any of the potential benefits of cloud computing. To ensure success, organisations require a new model of integrated security which provides stronger protection, greater visibility and better control of critical assets, users, and data.

Addressing cloud security holistically creates operational efficiencies and allows Indian CISOs to take full advantage of the cloud. This approach guarantees their critical information is secure and protected, giving them the peace of mind they need to lead their companies in the data-driven era.